winbind support
Greetings,

Any chance that the winbind and NTLM auth patches for Samba[1] & Squid[2] will be incorporated into the port? I was hoping to use NTLM authentication with DansGuardian and Squid.

Thanks!

[1] http://marc.info/?l=openbsd-ports&m=115920525425787&w=2
[2] http://marc.info/?l=openbsd-ports&m=115920576932016&w=2

-Steve S.
Re: [PATCH] NTLM/winbind support for squid
On Fri, Oct 27, 2006 at 01:07:55PM +0200, Thomas Schoeller wrote:
> i have not tried your patch. but i did something similar to this. and it
> runs fine in production for 6 months. PLIST should be updated. i will do
> this when i got some time.
> i would be really happy if this goes into the cvs.
>
> thomas
>
> On Thu, Oct 26, 2006 at 04:30:06PM -0200, Eduardo Alvarenga wrote:
> > 2006/9/25, Eduardo Alvarenga <[EMAIL PROTECTED]>:
> > >2006/9/25, Antoine Jacoutot <[EMAIL PROTECTED]>:
> > >> On Mon, 25 Sep 2006, Eduardo Alvarenga wrote:
> > >> > +FLAVORS= transparent snmp ntlm-winbind
> > >>
> > >> I don't think "ntlm-winbind" is a correct syntax.
> > >> Either use "ntlm" or "winbind".
> > >
> > >Well, It can be ntlm or even ntlmssp.
> > >But just "winbind" may confuse people I think.
> > >
> > >I'd like to have feedbacks about the patch.
> > >Since I'm not subscribed to ports@, please be gentle and CC me too.
> >
> > Did anyone care about this patch?
> > It is really useful. Worth trying.
> >
> > --
> > Eduardo Alvarenga
Re: [PATCH] NTLM/winbind support for squid
2006/9/25, Eduardo Alvarenga <[EMAIL PROTECTED]>:
2006/9/25, Antoine Jacoutot <[EMAIL PROTECTED]>:
> On Mon, 25 Sep 2006, Eduardo Alvarenga wrote:
> > +FLAVORS= transparent snmp ntlm-winbind
>
> I don't think "ntlm-winbind" is a correct syntax.
> Either use "ntlm" or "winbind".

Well, It can be ntlm or even ntlmssp.
But just "winbind" may confuse people I think.

I'd like to have feedbacks about the patch.
Since I'm not subscribed to ports@, please be gentle and CC me too.

Did anyone care about this patch?
It is really useful. Worth trying.

--
Eduardo Alvarenga
Re: [PATCH] Winbind support for samba
On Fri, Oct 06, 2006 at 11:35:30AM -0300, Eduardo Alvarenga wrote:
> 2006/10/6, Thomas Schoeller <[EMAIL PROTECTED]>:
> >hello again,
> >i have tested it without -lcrypto but the configure aborts.
> >can someone enlighten me why it is not working.
> >thanks in advance
> >thomas
> >
> >checking for Active Directory and krb5 support... yes
> >checking for ldap_initialize... yes
> >checking for ldap_add_result_entry... yes
> >checking for kerberos 5 install path... no krb5-path given
> >checking for krb5-config...
>
> >checking for keyblock in krb5_keytab_entry... yes
> >checking for magic in krb5_address... no
> >configure: error: libkrb5 is needed for Active Directory support
> >*** Error code 1
> >
> >Stop in /usr/ports/net/samba_winbind (line 1931 of
> >/usr/ports/infrastructure/mk/
> >bsd.port.mk).
>
> Why are you trying to avoid libcrypto?
> It IS necessary.

because i read the "OpenBSD Porting Policy" and there is mentioned that
-lcrypt is not necessary, and i overlooked the "o" in -lcrypto.
sorry for the trouble

>
>
> Regards,
>
> --
> Eduardo Alvarenga
Re: [PATCH] Winbind support for samba
2006/10/6, Thomas Schoeller <[EMAIL PROTECTED]>:
hello again,
i have tested it without -lcrypto but the configure aborts.
can someone enlighten me why it is not working.
thanks in advance
thomas

checking for Active Directory and krb5 support... yes
checking for ldap_initialize... yes
checking for ldap_add_result_entry... yes
checking for kerberos 5 install path... no krb5-path given
checking for krb5-config...
checking for keyblock in krb5_keytab_entry... yes
checking for magic in krb5_address... no
configure: error: libkrb5 is needed for Active Directory support
*** Error code 1

Stop in /usr/ports/net/samba_winbind (line 1931 of
/usr/ports/infrastructure/mk/
bsd.port.mk).

Why are you trying to avoid libcrypto?
It IS necessary.

Regards,

--
Eduardo Alvarenga
Re: [PATCH] Winbind support for samba
hello again,
i have tested it without -lcrypto but the configure aborts.
can someone enlighten me why it is not working.
thanks in advance
thomas

checking for Active Directory and krb5 support... yes
checking for ldap_initialize... yes
checking for ldap_add_result_entry... yes
checking for kerberos 5 install path... no krb5-path given
checking for krb5-config... /usr/ports/net/samba_winbind/w-samba-3.0.23c-winbind
/bin/krb5-config
checking for working krb5-config... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi/gssapi_generic.h usability... no
checking gssapi/gssapi_generic.h presence... no
checking for gssapi/gssapi_generic.h... no
checking gssapi/gssapi.h usability... no
checking gssapi/gssapi.h presence... no
checking for gssapi/gssapi.h... no
checking com_err.h usability... yes
checking com_err.h presence... yes
checking for com_err.h... yes
checking for _et_list in -lcom_err... no
checking for krb5_encrypt_data in -lk5crypto... no
checking for des_set_key in -lcrypto... no
checking for copy_Authenticator in -lasn1... no
checking for roken_getaddrinfo_hostspec in -lroken... no
checking for gss_display_status in -lgssapi... no
checking for krb5_mk_req_extended in -lkrb5... no
checking for krb5_kt_compare in -lkrb5... no
checking for gss_display_status in -lgssapi_krb5... no
checking for krb5_set_real_time... no
checking for krb5_set_default_in_tkt_etypes... no
checking for krb5_set_default_tgs_ktypes... no
checking for krb5_principal2salt... no
checking for krb5_use_enctype... no
checking for krb5_string_to_key... no
checking for krb5_get_pw_salt... no
checking for krb5_string_to_key_salt... no
checking for krb5_auth_con_setkey... no
checking for krb5_auth_con_setuseruserkey... no
checking for krb5_locate_kdc... no
checking for krb5_get_permitted_enctypes... no
checking for krb5_get_default_in_tkt_etypes... no
checking for krb5_free_ktypes... no
checking for krb5_free_data_contents... no
checking for krb5_principal_get_comp_string... no
checking for krb5_free_unparsed_name... no
checking for krb5_free_keytab_entry_contents... no
checking for krb5_kt_free_entry... no
checking for krb5_krbhst_get_addrinfo... no
checking for krb5_c_enctype_compare... no
checking for krb5_enctypes_compatible_keys... no
checking for krb5_crypto_init... no
checking for krb5_crypto_destroy... no
checking for krb5_decode_ap_req... no
checking for decode_krb5_ap_req... no
checking for krb5_free_ap_req... no
checking for free_AP_REQ... no
checking for krb5_c_verify_checksum... no
checking for krb5_principal_compare_any_realm... no
checking for krb5_parse_name_norealm... no
checking for krb5_princ_size... no
checking for krb5_get_init_creds_opt_set_pac_request... no
checking for krb5_get_renewed_creds... no
checking for krb5_get_kdc_cred... no
checking for krb5_free_error_contents... no
checking whether krb5_verify_checksum takes 7 arguments... 6
checking for checksum in krb5_checksum... yes
checking for etype in EncryptedData... yes
checking for ticket pointer in krb5_ap_req... no
checking for e_data pointer in krb5_error... yes
checking for krb5_crypto type... yes
checking for krb5_encrypt_block type... no
checking for addrtype in krb5_address... no
checking for addr_type in krb5_address... yes
checking for enc_part2 in krb5_ticket... no
checking for keyblock in krb5_creds... no
checking for session in krb5_creds... yes
checking for keyvalue in krb5_keyblock... yes
checking for ENCTYPE_ARCFOUR_HMAC_MD5... yes
checking for KEYTYPE_ARCFOUR_56... yes
checking for AP_OPTS_USE_SUBKEY... yes
checking for KV5M_KEYTAB... no
checking for KRB5_KU_OTHER_CKSUM... yes
checking for KRB5_KEYUSAGE_APP_DATA_CKSUM... no
checking for the krb5_princ_component macro... no
checking for key in krb5_keytab_entry... no
checking for keyblock in krb5_keytab_entry... yes
checking for magic in krb5_address... no
configure: error: libkrb5 is needed for Active Directory support
*** Error code 1

Stop in /usr/ports/net/samba_winbind (line 1931 of
/usr/ports/infrastructure/mk/
bsd.port.mk).

On Thu, Oct 05, 2006 at 09:06:26PM +0200, Thomas Schoeller wrote:
> the howto is still in development. i will try it on a clean machine when
> i got some time.
> and i forgot the patch to attach.
>
> thanks for your comments
>
> On Thu, Oct 05, 2006 at 03:58:46PM -0300, Eduardo Alvarenga wrote:
> > 2006/10/5, Thomas Schoeller <[EMAIL PROTECTED]>:
> > >hello,
> > >i tested this patch, and used something similar to this patch for some
> > >month in production, too.
> > >i have updated the patch to use the new -current version of samba
> > >and added some plist glue.
> > >i know that openbsd does not require -lcrypt but i dont tested it
> > >without it. i do test this tomorrow if it works without -lcrypt.
> > >tomorrow i will also test this on macppc.
> > >i've done something like a howto for this too
> > >ht
Re: [PATCH] Winbind support for samba
the howto is still in development. i will try it on a clean machine when i got some time. and i forgot the patch to attach. thanks for your comments On Thu, Oct 05, 2006 at 03:58:46PM -0300, Eduardo Alvarenga wrote: > 2006/10/5, Thomas Schoeller <[EMAIL PROTECTED]>: > >hello, > >i tested this patch, and used something similar to this patch for some > >month in production, too. > >i have have updated the patch to use the new -current version of samba > >and added some plist glue. > >i know that openbsd does not require -lcrypt but i dont tested it > >without it. i do test this tomorrow if it works without -lcrypt. > >tomorrow i will also test this on macppc. > >i've done something like a howto for this too > >https://tiifp.org/quentin/squid.html > >any comments and testing are welcome. > > Nice article. > > But please note that you MUST patch squid[1] too. The current howto[2] > pointed in your document assumes you already have winbind as one of > the auth-helpers for squid since it is based on Gentoo Linux. > > [1] http://marc.theaimsgroup.com/?l=openbsd-ports&m=115920576932016&w=2 > [2] http://mkeadle.org/index.php?p=13 > > Maybe you can adapt it on you how-to. Would be a great improvement. > > > Best Regards, > > -- > Eduardo Alvarenga diff -r -u -N samba/Makefile samba_winbind/Makefile --- samba/Makefile Tue Oct 3 16:07:10 2006 +++ samba_winbind/Makefile Tue Sep 26 05:51:14 2006 @@ -61,7 +61,7 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ LDFLAGS="-L${LOCALBASE}/lib -Wl,--export-dynamic" -FLAVORS=cups ldap +FLAVORS=cups ldap winbind FLAVOR?= MULTI_PACKAGES= -docs 
@@ -80,8 +80,15 @@ CONFIGURE_ARGS+= --with-ldap --without-ads LIB_DEPENDS+= ldap,lber::databases/openldap \ utf8::misc/libutf8 +.endif + +.if ${FLAVOR:L:Mwinbind} +CONFIGURE_ARGS+= --with-ldap --with-ads --with-winbind +LIB_DEPENDS+= ldap,lber::databases/openldap \ + utf8::misc/libutf8 +WANTLIB+= gssapi krb5 .else -CONFIGURE_ARGS+= --without-ldap --without-ads +CONFIGURE_ARGS+= --without-ldap --without-ads --without-winbind .endif .if defined(PACKAGING) && ${SUBPACKAGE} == "-docs" @@ -101,6 +108,12 @@ ${WRKSRC}/../docs/registry/*.reg SAMPLE_CONFIG= ${PREFIX}/share/examples/samba/smb.conf.default + +.if ${FLAVOR:L:Mwinbind} +post-extract: + @cp ${FILESDIR}/krb5-config ${WRKDIR}/bin + @chmod a+x ${WRKDIR}/bin/krb5-config +.endif post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/samba/pdf diff -r -u -N samba/files/krb5-config samba_winbind/files/krb5-config --- samba/files/krb5-config Thu Jan 1 01:00:00 1970 +++ samba_winbind/files/krb5-config Tue Sep 26 02:08:42 2006 @@ -0,0 +1,9 @@ +#! /bin/sh + +case x$1 in +x--libs) + echo '-lgssapi -lkrb5 -lasn1 -lcrypto';; +x--cflags) + echo '-I/usr/include/kerberosV';; +esac +exit 0 diff -r -u -N samba/files/krb5-config.orig samba_winbind/files/krb5-config.orig diff -r -u -N samba/pkg/PFRAG.winbind samba_winbind/pkg/PFRAG.winbind --- samba/pkg/PFRAG.winbind Thu Jan 1 01:00:00 1970 +++ samba_winbind/pkg/PFRAG.winbind Tue Sep 26 06:47:56 2006 @@ -0,0 +1,3 @@ [EMAIL PROTECTED] $OpenBSD: PFRAG.winbind,v 1.1 2006/10/05 14:35:54 ts Exp $ +libexec/winbindd +bin/wbinfo diff -r -u -N samba/pkg/PLIST samba_winbind/pkg/PLIST --- samba/pkg/PLIST Tue Oct 3 16:07:10 2006 +++ samba_winbind/pkg/PLIST Tue Sep 26 07:29:33 2006 @@ -104,3 +104,4 @@ share/swat/include/header.html @sample /var/spool/samba/ %%SHARED%% +%%winbind%%
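Review bot: The header line `diff -r -u -N samba/files/krb5-config.orig samba_winbind/files/krb5-config.orig` carries no hunk, which suggests a leftover krb5-config.orig backup was sitting in one of the trees when the diff was generated. Remove the .orig file and regenerate, so the port's files/ directory holds only the krb5-config script the post-extract target copies.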
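Review bot: In the pkg/PFRAG.winbind hunk, the fragment lists only libexec/winbindd and bin/wbinfo, while the squid configuration posted in this thread runs /usr/local/bin/ntlm_auth. Build the winbind flavor into a fake install and regenerate the packing list to confirm that these two files are everything `--with-winbind` adds, and that ntlm_auth is packaged somewhere the squid flavor can depend on.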
Re: [PATCH] Winbind support for samba
2006/10/5, Thomas Schoeller <[EMAIL PROTECTED]>:
hello,
i tested this patch, and used something similar to this patch for some
month in production, too.
i have updated the patch to use the new -current version of samba
and added some plist glue.
i know that openbsd does not require -lcrypt but i dont tested it
without it. i do test this tomorrow if it works without -lcrypt.
tomorrow i will also test this on macppc.
i've done something like a howto for this too
https://tiifp.org/quentin/squid.html
any comments and testing are welcome.

Nice article.

But please note that you MUST patch squid[1] too. The current howto[2]
pointed in your document assumes you already have winbind as one of
the auth-helpers for squid since it is based on Gentoo Linux.

[1] http://marc.theaimsgroup.com/?l=openbsd-ports&m=115920576932016&w=2
[2] http://mkeadle.org/index.php?p=13

Maybe you can adapt it on your how-to. Would be a great improvement.

Best Regards,

--
Eduardo Alvarenga
Re: [PATCH] Winbind support for samba
hello, i tested this patch, and used something similar to this patch for some month in production, too. i have have updated the patch to use the new -current version of samba and added some plist glue. i know that openbsd does not require -lcrypt but i dont tested it without it. i do test this tomorrow if it works without -lcrypt. tomorrow i will also test this on macppc. i've done something like a howto for this too https://tiifp.org/quentin/squid.html any comments and testing are welcome. best regards thomas On Mon, Sep 25, 2006 at 02:24:45PM -0300, Eduardo Alvarenga wrote: > Hi, > > This patch makes samba support winbind. > > Note that this will not make your Windows users appear on you OpenBSD > environment. This is not winbind's work. > > This patch is a requirement for the squid-ntlm-winbind patch I'll send > further. > I'm running this for about 1 year in production with zero problems. > > Note that I did not 'update-plist' anything, and did not touch the > MESSAGE file either. > > But it could be something like this: > -- > $ sudo ${LOCALBASE}/libexec/winbindd # start the samba winbind daemon > -- > > -- > diff -urN samba/Makefile samba.winbind/Makefile > --- samba/Makefile Wed Aug 9 09:54:04 2006 > +++ samba.winbind/Makefile Mon Sep 25 13:01:53 2006 > @@ -62,7 +62,7 @@ > CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ >LDFLAGS="-L${LOCALBASE}/lib -Wl,--export-dynamic" > > -FLAVORS=cups ldap > +FLAVORS=cups ldap winbind > FLAVOR?= > > MULTI_PACKAGES= -docs 
> @@ -81,8 +81,15 @@ > CONFIGURE_ARGS+= --with-ldap --without-ads > LIB_DEPENDS+= ldap,lber::databases/openldap \ >utf8::misc/libutf8 > +.endif > + > +.if ${FLAVOR:L:Mwinbind} > +CONFIGURE_ARGS+= --with-ldap --with-ads --with-winbind > +LIB_DEPENDS+= ldap,lber::databases/openldap \ > + utf8::misc/libutf8 > +WANTLIB+= gssapi krb5 > .else > -CONFIGURE_ARGS+= --without-ldap --without-ads > +CONFIGURE_ARGS+= --without-ldap --without-ads --without-winbind > .endif > > .if defined(PACKAGING) && ${SUBPACKAGE} == "-docs" > @@ -102,6 +109,12 @@ > ${WRKSRC}/../docs/registry/*.reg > > SAMPLE_CONFIG= ${PREFIX}/share/examples/samba/smb.conf.default > + > +.if ${FLAVOR:L:Mwinbind} > +post-extract: > + @cp ${FILESDIR}/krb5-config ${WRKDIR}/bin > + @chmod a+x ${WRKDIR}/bin/krb5-config > +.endif > > post-install: >${INSTALL_DATA_DIR} ${PREFIX}/share/doc/samba/pdf > diff -urN samba/files/krb5-config samba.winbind/files/krb5-config > --- samba/files/krb5-config Wed Dec 31 21:00:00 1969 > +++ samba.winbind/files/krb5-config Mon Sep 25 12:39:02 2006 > @@ -0,0 +1,9 @@ > +#! /bin/sh > + > +case x$1 in > +x--libs) > + echo '-lgssapi -lkrb5 -lasn1 -lcrypto';; > +x--cflags) > + echo '-I/usr/include/kerberosV';; > +esac > +exit 0 > -- > > Please apply it with p1. > > Regards, > > -- > Eduardo Alvarenga
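Review bot: The post-extract target added at @@ -102,6 +109,12 @@ has no comment saying why a stub krb5-config is copied into ${WRKDIR}/bin, and both commands are silenced with `@`. Add a short comment that the stub exists to answer configure's krb5-config probe for the `--with-ads` build, and make sure ${WRKDIR}/bin exists before the `cp`, since a missing directory would leave a plain file named bin for the `chmod` line to trip over.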
Re: [PATCH] NTLM/winbind support for squid
2006/9/25, Antoine Jacoutot <[EMAIL PROTECTED]>:
On Mon, 25 Sep 2006, Eduardo Alvarenga wrote:
> +FLAVORS= transparent snmp ntlm-winbind

I don't think "ntlm-winbind" is a correct syntax.
Either use "ntlm" or "winbind".

Well, It can be ntlm or even ntlmssp.
But just "winbind" may confuse people I think.

I'd like to have feedbacks about the patch.
Since I'm not subscribed to ports@, please be gentle and CC me too.

--
Eduardo Alvarenga
Re: [PATCH] NTLM/winbind support for squid
On Mon, 25 Sep 2006, Eduardo Alvarenga wrote:
+FLAVORS= transparent snmp ntlm-winbind

I don't think "ntlm-winbind" is a correct syntax.
Either use "ntlm" or "winbind".

--
Antoine
[PATCH] NTLM/winbind support for squid
Hi, This patch implements NTLM(v2)/SSP support for squid. I'm running it on production environment for more than 1 year without any problems. Please note that no update to MESSAGE or 'update-plist' was done. I'm really not certain how to implement it correctly so I'll keep it with the maintainers. And please note that you must have winbind already configured and running (no need for smbd or nmbd) before running squid. squid.conf entries like: -- auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp--domain='DOMAIN' auth_param basic children 10 auth_param basic realm Please type your username and password auth_param basic credentialsttl 2 hours -- -- diff -urN squid/Makefile squid.winbind/Makefile --- squid/Makefile Mon Jun 19 08:49:26 2006 +++ squid.winbind/Makefile Mon Sep 25 10:13:57 2006 @@ -21,7 +21,7 @@ SQUIDDIR?= /var/squid SUBST_VARS=SQUIDDIR -FLAVORS= transparent snmp +FLAVORS= transparent snmp ntlm-winbind FLAVOR?= .include @@ -53,6 +53,18 @@ .if${FLAVOR:L:Msnmp} CONFIGURE_ARGS+=--enable-snmp +.endif + +.if${FLAVOR:L:Mntlm-winbind} +CONFIGURE_ARGS+=--enable-auth="basic digest ntlm" \ + --enable-basic-auth-helpers="NCSA YP winbind" \ + --enable-ntlm-auth-helpers="winbind" \ + --enable-external-acl-helpers="ip_user unix_group wbinfo_group" +LIB_DEPENDS+= smbclient::net/samba,winbind +.else +CONFIGURE_ARGS+=--enable-auth="basic digest" \ + --enable-basic-auth-helpers="NCSA YP" \ + --enable-external-acl-helpers="ip_user unix_group" .endif post-install: diff -urN squid/pkg/DESCR squid.winbind/pkg/DESCR --- squid/pkg/DESCR Fri Jun 11 05:00:36 2004 +++ squid.winbind/pkg/DESCR Mon Sep 25 10:15:57 2006 @@ -14,3 +14,4 @@ Flavors: transparent - Support for transparent proxying snmp - Support for SNMP + ntlm-winbind - Support for NTLM/Winbind authentication -- Regards, -- Eduardo Alvarenga
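Review bot: In the Makefile hunk at @@ -53,6 +53,18 @@, the new `.else` branch passes `--enable-auth="basic digest"`, `--enable-basic-auth-helpers="NCSA YP"` and `--enable-external-acl-helpers="ip_user unix_group"` to every build without the new flavor, and all three lines are additions. That changes what the default, transparent and snmp packages are configured with, so compare the list against the helpers the port ships today before committing, or drop the `.else` and only append the winbind helpers inside the flavor test. The `LIB_DEPENDS+= smbclient::net/samba,winbind` line also deserves a sentence on which squid binary links libsmbclient; if the only requirement is the ntlm_auth and winbindd programs at run time, a run dependency states that more accurately.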
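An added example (not part of the original post, nor code from the squid or Samba projects): a small Python check for squid.conf entries like the ones in the message above, flagging an ntlm_auth helper line whose `--helper-protocol` does not match its `auth_param` scheme or whose options are run together. The scheme-to-protocol table follows the ntlm_auth manual page; the function name `lint_auth_params` and the second sample configuration are constructed for illustration.

```python
import shlex

# ntlm_auth helper protocol that matches each squid authentication scheme.
EXPECTED_PROTOCOL = {
    "basic": "squid-2.5-basic",    # helper is handed a username and password
    "ntlm": "squid-2.5-ntlmssp",   # helper is handed NTLMSSP blobs
}

# The entries as they appear in the message above.
POSTED_CONF = """\
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp--domain='DOMAIN'
auth_param basic children 10
auth_param basic realm Please type your username and password
auth_param basic credentialsttl 2 hours
"""

# Constructed sample: each scheme paired with its own helper protocol.
CONSISTENT_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain='DOMAIN'
auth_param basic children 10
"""


def lint_auth_params(conf_text):
    """Return (line_number, message) findings for ntlm_auth helper lines."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:           # unbalanced quote: fall back to plain split
            tokens = line.split()
        # Only "auth_param <scheme> program <helper> [args...]" lines matter.
        if len(tokens) < 4 or tokens[0] != "auth_param" or tokens[2] != "program":
            continue
        scheme, helper, args = tokens[1], tokens[3], tokens[4:]
        if not helper.endswith("ntlm_auth"):
            continue
        protocol = None
        for arg in args:
            if arg.startswith("--helper-protocol="):
                protocol = arg.split("=", 1)[1]
        if protocol is None:
            findings.append((lineno, "ntlm_auth has no --helper-protocol option"))
            continue
        # A second option glued onto the value means a missing space.
        if "--" in protocol:
            protocol, _, glued = protocol.partition("--")
            findings.append((lineno, f"option '--{glued}' is run together with "
                                     "--helper-protocol; separate them with a space"))
        expected = EXPECTED_PROTOCOL.get(scheme)
        if expected is None:
            findings.append((lineno, f"scheme '{scheme}' is not served by ntlm_auth"))
        elif protocol != expected:
            findings.append((lineno, f"scheme '{scheme}' uses helper protocol "
                                     f"'{protocol}', expected '{expected}'"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_auth_params(POSTED_CONF):
        print(f"line {lineno}: {message}")
```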
[PATCH] Winbind support for samba
Hi, This patch makes samba support winbind. Note that this will not make your Windows users appear on you OpenBSD environment. This is not winbind's work. This patch is a requirement for the squid-ntlm-winbind patch I'll send further. I'm running this for about 1 year in production with zero problems. Note that I did not 'update-plist' anything, and did not touch the MESSAGE file either. But it could be something like this: -- $ sudo ${LOCALBASE}/libexec/winbindd # start the samba winbind daemon -- -- diff -urN samba/Makefile samba.winbind/Makefile --- samba/Makefile Wed Aug 9 09:54:04 2006 +++ samba.winbind/Makefile Mon Sep 25 13:01:53 2006 @@ -62,7 +62,7 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ LDFLAGS="-L${LOCALBASE}/lib -Wl,--export-dynamic" -FLAVORS=cups ldap +FLAVORS=cups ldap winbind FLAVOR?= MULTI_PACKAGES= -docs @@ -81,8 +81,15 @@ CONFIGURE_ARGS+= --with-ldap --without-ads LIB_DEPENDS+= ldap,lber::databases/openldap \ utf8::misc/libutf8 +.endif + +.if ${FLAVOR:L:Mwinbind} +CONFIGURE_ARGS+= --with-ldap --with-ads --with-winbind +LIB_DEPENDS+= ldap,lber::databases/openldap \ + utf8::misc/libutf8 +WANTLIB+= gssapi krb5 .else -CONFIGURE_ARGS+= --without-ldap --without-ads +CONFIGURE_ARGS+= --without-ldap --without-ads --without-winbind .endif .if defined(PACKAGING) && ${SUBPACKAGE} == "-docs" @@ -102,6 +109,12 @@ ${WRKSRC}/../docs/registry/*.reg SAMPLE_CONFIG= ${PREFIX}/share/examples/samba/smb.conf.default + +.if ${FLAVOR:L:Mwinbind} +post-extract: + @cp ${FILESDIR}/krb5-config ${WRKDIR}/bin + @chmod a+x ${WRKDIR}/bin/krb5-config +.endif post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/samba/pdf diff -urN samba/files/krb5-config samba.winbind/files/krb5-config --- samba/files/krb5-config Wed Dec 31 21:00:00 1969 +++ samba.winbind/files/krb5-config Mon Sep 25 12:39:02 2006 
@@ -0,0 +1,9 @@ +#! /bin/sh + +case x$1 in +x--libs) + echo '-lgssapi -lkrb5 -lasn1 -lcrypto';; +x--cflags) + echo '-I/usr/include/kerberosV';; +esac +exit 0 -- Please apply it with p1. Regards, -- Eduardo Alvarenga
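Review bot: In the Makefile hunk at @@ -81,8 +81,15 @@, the added `.endif` closes the existing block that sets `--with-ldap --without-ads`, so the existing `.else` now belongs to the new `.if ${FLAVOR:L:Mwinbind}` test. A build with the ldap flavor but without winbind then gets `--with-ldap --without-ads` followed by `--without-ldap --without-ads --without-winbind`, and a build with both flavors gets `--without-ads` followed by `--with-ads` plus the openldap and libutf8 LIB_DEPENDS twice. Test winbind first and chain the remaining cases with `.elif`, so that exactly one branch sets the ldap, ads and winbind switches.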
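Review bot: The new files/krb5-config answers `--libs` with `-lgssapi -lkrb5 -lasn1 -lcrypto`, but the Makefile hunk only adds `WANTLIB+= gssapi krb5`. Inspect what the built winbind binaries actually link against and list asn1 and crypto as well if they appear. The script also falls through to `exit 0` with empty output for any argument other than `--libs` and `--cflags`, which hides a configure probe it does not answer; an explicit `*)` case that exits non-zero would surface that at build time.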